## MODIFIED Requirements

### Requirement: TLS certificate is provisioned via Let's Encrypt

The trojan role SHALL use certbot to obtain a TLS certificate for the domain configured on each individual host. After provisioning or renewal, the certificate and key SHALL be copied to `/etc/trojan-go/tls/` so the service user can read them.

#### Scenario: Certificate provisioning with per-host domain

- **WHEN** the trojan role runs on a host with `trojan_domain: "proxy1.example.com"`
- **THEN** certbot obtains a TLS certificate for `proxy1.example.com`
- **THEN** the certificate and key are copied to `/etc/trojan-go/tls/`, owned by the trojan service user

#### Scenario: Certificate provisioning on a second host with a different domain

- **WHEN** the trojan role runs on a host with `trojan_domain: "proxy2.example.com"`
- **THEN** certbot obtains a TLS certificate for `proxy2.example.com`
- **THEN** the certificate is independent from other hosts

#### Scenario: Certificate auto-renewal

- **WHEN** the certificate is within 30 days of expiry
- **THEN** certbot renews it automatically
- **THEN** a deploy-hook copies the renewed certs to `/etc/trojan-go/tls/`
- **THEN** the Trojan service is reloaded after renewal

## ADDED Requirements

### Requirement: Trojan domain is configured per-host

Each host in the `trojan` group SHALL define its own `trojan_domain` and `certbot_email` variables in the inventory. The trojan role SHALL fail with a clear error if a host lacks these variables.
#### Scenario: Host defines its own domain

- **WHEN** a host in inventory has `trojan_domain: "proxy.example.com"` and `certbot_email: "admin@example.com"`
- **THEN** the trojan role uses these values for that host

#### Scenario: Host missing domain variable

- **WHEN** a host in the `trojan` group does not define `trojan_domain`
- **THEN** the playbook fails with an error indicating the missing variable

#### Scenario: Inventory example shows per-host domain configuration

- **WHEN** the user inspects `inventory/hosts.yml.example`
- **THEN** it contains per-host `trojan_domain` and `certbot_email` examples
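A deploy-hook of the kind the auto-renewal scenario above calls for, as an added example that is not part of this spec or the role's own code. It relies on certbot exporting `RENEWED_LINEAGE` (the `live/<domain>` directory) to deploy hooks; the `TROJAN_TLS_DIR`, `TROJAN_USER` and `RELOAD_CMD` overrides are assumed names so the copy step can be exercised outside `/etc`.

```shell
#!/bin/sh
# Added example: certbot deploy-hook that copies a renewed certificate and key
# into the trojan-go TLS directory and reloads the service.
# RENEWED_LINEAGE is set by certbot; the three variables below are assumed
# names (not from the spec) that let the same function run in a test.
set -eu

TROJAN_TLS_DIR="${TROJAN_TLS_DIR:-/etc/trojan-go/tls}"
TROJAN_USER="${TROJAN_USER:-trojan}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload trojan-go}"

# install_trojan_certs <lineage-dir>
# Copies fullchain.pem and privkey.pem out of the lineage directory so the
# service user never needs read access to /etc/letsencrypt itself, then
# reloads the service. Returns 1 (and reloads nothing) if either file is missing.
install_trojan_certs() {
  lineage="$1"
  if [ ! -r "$lineage/fullchain.pem" ] || [ ! -r "$lineage/privkey.pem" ]; then
    echo "deploy-hook: fullchain.pem or privkey.pem missing in $lineage" >&2
    return 1
  fi
  mkdir -p "$TROJAN_TLS_DIR"
  chmod 750 "$TROJAN_TLS_DIR"
  # Copy rather than symlink: the key must be a file the service user can read.
  cp -f "$lineage/fullchain.pem" "$TROJAN_TLS_DIR/fullchain.pem"
  cp -f "$lineage/privkey.pem" "$TROJAN_TLS_DIR/privkey.pem"
  chmod 640 "$TROJAN_TLS_DIR/fullchain.pem" "$TROJAN_TLS_DIR/privkey.pem"
  # chown only when the service user exists (it will on a provisioned host).
  if id "$TROJAN_USER" >/dev/null 2>&1; then
    chown "$TROJAN_USER" "$TROJAN_TLS_DIR/fullchain.pem" "$TROJAN_TLS_DIR/privkey.pem"
  fi
  # Reload so the running service picks up the new certificate.
  sh -c "$RELOAD_CMD"
}

# Under certbot, RENEWED_LINEAGE is set and the hook runs immediately.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  install_trojan_certs "$RENEWED_LINEAGE"
fi
```

Install it as `/etc/letsencrypt/renewal-hooks/deploy/trojan-go.sh` (or pass it via `certbot --deploy-hook`) so certbot runs it after every successful renewal.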